[145161] in North American Network Operators' Group
Re: Synology Disk DS211J
daemon@ATHENA.MIT.EDU (Joel jaeggli)
Thu Sep 29 22:12:49 2011
Date: Thu, 29 Sep 2011 19:10:10 -0700
From: Joel jaeggli <joelja@bogus.com>
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
In-Reply-To: <201109300046.p8U0k9l9061612@mail.r-bonomi.com>
Cc: nanog@nanog.org
On 9/29/11 17:46 , Robert Bonomi wrote:
>> From: Nathan Eisenberg <nathan@atlasnetworks.us>
>> Subject: RE: Synology Disk DS211J
>> Date: Thu, 29 Sep 2011 21:58:23 +0000
>>
>>> And this is why the prudent home admin runs a firewall device he or she
>>> can trust, and has a "default deny" rule in place even for outgoing
>>> connections.
>>>
>>> - Matt
>>>
>>
>> The prudent home admin has a default deny rule for outgoing HTTP to port
>> 80? I doubt it.
>>
>
> No, the prudent and knowledgeable home admin does not have a default deny
> rule just for outgoing HTTP to port 80.
>
> He has a default deny rule for _everything_. Every internal source address,
> and every destination port. Then he pokes holes in that 'deny everything'
> for specific machines to make the kinds of external connections that _they_
> need to make.
Tell me how that flies with the customers in your household...
> Blocking outgoing port 80, _except_ from an internal proxy server, is not
> necessarily a bad idea. If the legitimate web clients are all configured
> to use the proxy server, then _direct_ external connection attempts are
> an indication that something "not so legitimate" may be running.
>
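A small model of the egress policy described in the quoted text (default deny for every internal host and port, per-machine holes, web only via the proxy), run over constructed connection records to show which flows become the indicator Robert mentions. This is an added example, not code from the thread; the proxy address, the holes and the log lines are all assumptions.

```python
from dataclasses import dataclass

PROXY = "192.168.1.10"  # assumed address of the internal web proxy
# Holes poked in the default deny: (source host, destination port) pairs
# that specific machines legitimately need. Constructed for illustration.
EGRESS_HOLES = {
    (PROXY, 80), (PROXY, 443),   # only the proxy talks HTTP(S) outward
    ("192.168.1.20", 22),        # one workstation may ssh out
    ("192.168.1.1", 53),         # the router resolves DNS
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def egress_allowed(flow: Flow, holes=EGRESS_HOLES) -> bool:
    """Default deny: a flow passes only if an explicit hole matches it."""
    return (flow.src, flow.dport) in holes

def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport' connection-log line."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))

def direct_web_attempts(lines, proxy=PROXY):
    """Return denied flows to port 80/443 from hosts other than the proxy.
    These are the indicator the thread points at: a client that should be
    using the proxy is trying to reach the web directly."""
    flagged = []
    for line in lines:
        f = parse_flow(line)
        if f.dport in (80, 443) and f.src != proxy and not egress_allowed(f):
            flagged.append(f)
    return flagged

# Constructed sample log: one host bypasses the proxy and gets flagged.
SAMPLE_LOG = [
    "192.168.1.10 203.0.113.5 80",    # proxy fetching a page: allowed
    "192.168.1.20 203.0.113.9 22",    # workstation ssh: allowed by its hole
    "192.168.1.30 198.51.100.7 80",   # host bypassing the proxy: flagged
    "192.168.1.30 198.51.100.7 443",  # same host over HTTPS: flagged
    "192.168.1.20 198.51.100.7 25",   # SMTP from workstation: denied, not web
]

if __name__ == "__main__":
    for f in direct_web_attempts(SAMPLE_LOG):
        print(f"direct web egress attempt from {f.src} to {f.dst}:{f.dport}")
```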